This is a confirmation email sent from CVE request form at https://iwantacve.org/ asking you to accept the MITRE CVE Terms of Use (assuming you filled out the CVE form and want one, we can't use the data until you accept the MITRE CVE Terms of Use).

If you did not submit a CVE request to the DWF you can safely ignore this message, however we may resend it at some point in the future, if you don't want any future emails simply reply with "unsubscribe" or "DON'T SEND ME THIS EMAIL EVER AGAIN" and I'll add your email address to the block list so we don't spam you with these, please note that this will prevent you from being able to accept the MITRE CVE Terms of Use via the DWF automatically in future (you'll have to manually ask). But again, if you have no idea what a CVE is then you can ignore this/ask to be added to the block list with no problems.

MITRE CVE Terms of Use

LICENSE

Submissions: For all materials you submit to the Common Vulnerabilities and Exposures (CVEÂ®), you hereby grant to The MITRE Corporation (MITRE) and all CVE Numbering Authorities (CNAs) a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute such materials and derivative works. Unless required by applicable law or agreed to in writing, you provide such materials on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.

CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVEÂ®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.

My name is Morgan, and I work on GitHub’s User Policy team. We received word that one of your repositories contains sensitive or personal information that you may not have intended to make public, namely: private email addresses:

We wanted to give you a heads-up in case the information was published accidentally. If you need any help removing sensitive information that was committed by mistake, just let me know! We also have a handy guide here:

Please note that we may suspend repositories deemed to violate our Terms of Service, including those hosting sensitive or personal data. Please let us know if you have any questions and we'd be happy to help.

Nope it was published intentionally. In order to request a CVE Identifier, the person submitting the data has to be licensed so the CVE project and others can use it, thus you need to agree to the CVE Terms of Use (https://github.com/distributedweaknessfiling/DWF-Legal-Acceptance/blob/master/Terms-Of-Use.md). I must publish these publicly so I have proof that it was accepted properly. Additionally the email addresses submitted to the form at https://iwantacve.org/ are made public in a google spreadsheet, this is made OBVIOUSLY clear in the initial form. Additionally it is made clear that CVE is a PUBLIC database and information entered into it (like the description of the vulnerability,

Furthermore CVE has a policy that when requesting a CVE you MUST use a working email address so that

1) we can contact you to get acceptance of the Terms of Use

2) CVE users can contact the original requestor for clarification/details/etc

CC'ing the CVE board as I've brought this issue up (how do we handle GDPR related issues) as this provides a good example. Also CC'ing Robert/Marko as they had asked in a previous email how github can help the DWF (a major part would be ensuring trolls don't get people booted off of github). Thanks!